[tor-commits] [webwml/master] Started updating verify signatures page

hiro at torproject.org hiro at torproject.org
Mon Jul 10 08:30:46 UTC 2017


commit 8660abe1d94824795ed7e231f2dbee3eb62852a6
Author: hiromipaw <hiro at torproject.org>
Date:   Fri Jul 7 13:08:25 2017 +0200

    Started updating verify signatures page
---
 docs/en/verifying-signatures.wml | 48 ++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 14 deletions(-)

diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml
index 485e509..c6e3b27 100644
--- a/docs/en/verifying-signatures.wml
+++ b/docs/en/verifying-signatures.wml
@@ -12,24 +12,44 @@
     <h1>How to verify signatures for packages</h1>
     <hr>
 
+    <p>Digital signature is a process ensuring that a certain package was
+    generated by its developers and has not been tampered with. Below we explain
+    why it is important and how to verify that the Tor program you download is
+    the one we have created and has not been modified by some attacker.</p>
+
+    <p>Digital signature is a cryptographic mechanism. If you want to learn more
+    about how it works see <a href="https://www.gnupg.org/documentation/">
+    https://www.gnupg.org/documentation/</a>.</p>
+
     <h3>What is a signature and why should I check it?</h3>
     <hr>
 
-    <p>How do you know that the Tor program you have is really the
-    one we made? Many Tor users have very real adversaries who might
-    try to give them a fake version of Tor — and it doesn't matter
-    how secure and anonymous Tor is if you're not running the real Tor.</p>
+    <p>How do you know that the Tor program you have is really the one we made?
+    Digital signatures ensure that the package you are downloading was created by
+    our developers. It uses a cryptographic mechanism which outputs a sequence of
+    characters that is always the same unless the software has not been tampered
+    with.</p>
+
+    <p>For many Tor users it is important to verify that the Tor software is authentic
+    as they have very real adversaries who might try to give them a fake version
+    of Tor.</p>
 
-    <p>An attacker could try a variety of attacks to get you to download
-    a fake Tor. For example, he could trick you into thinking some other
+    <p>If the Tor package has been modified by some attacker it is not safe to use.
+    It doesn't matter how secure and anonymous Tor is if you're not running the real Tor.</p>
+
+    <p>There are a variety of attacks that can be used to make you download a fake
+    version of Tor. For example, an attacker could trick you into thinking some other
     website is a great place to download Tor. That's why you should
-    always download Tor from <b>https</b>://www.torproject.org/. The
-    https part means there's encryption and authentication between your
-    browser and the website, making it much harder for the attacker
+    always download Tor from <a href="https://www.torproject.org"><b>https</b>://www.torproject.org/</a>.</p>
+
+    <p><a href="https://www.torproject.org">https://www.torproject.org/</a> uses https.
+    Https is the secure version of the http protocol which uses encryption and authentication between your
+    browser and the website. This makes it much harder for the attacker
     to modify your download. But it's not perfect. Some places in the
-    world block the Tor website, making users try <a href="<page
-    docs/faq>#GetTor">somewhere else</a>. Large
-    companies sometimes force employees to use a modified browser,
+    world block the Tor website, making users to download Tor <a href="<page
+    docs/faq>#GetTor">somewhere else</a>.</p>
+
+    <p>Large companies sometimes force employees to use a modified browser,
     so the company can listen in on all their browsing. We've even <a
     href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a>
     attackers who have the ability to trick your browser into thinking
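Review bot: The added sentence in the "What is a signature and why should I check it?" paragraph, "always the same unless the software has not been tampered with", carries a double negative that inverts the intended meaning; it should read "unless the software has been tampered with". The sentence also describes a fixed sequence of characters, which reads more like a checksum than a signature tied to the developers' key, so it would be worth saying that the signature is checked against the developers' public key. Smaller wording points in the same hunk: "Digital signature is a process" needs an article or a plural ("Digital signatures are"), "It uses" follows the plural "Digital signatures", "making users to download Tor" should be "making users download Tor", and "Https"/"http" would be more consistent as "HTTPS"/"HTTP".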
@@ -93,8 +113,8 @@
     <p>To verify the signature of the package you downloaded, you will need
     to download the ".asc" file as well. Assuming you downloaded the
     package and its signature to your Desktop, run:</p>
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify
-    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \
+    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc \
     C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
     <p>The output should say "Good signature": </p>
     <pre>
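Review bot: The trailing backslashes added after --verify and after the .asc path are POSIX shell line continuations, but this is the Windows example (gpg.exe under "C:\Program Files"), and cmd.exe does not treat \ as a continuation. A user who pastes the block as written will have the first line run on its own with a literal \ as its argument. Use ^ at the end of each continued line for cmd.exe, or keep the command on a single line and let the page wrap it.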




